refactor: refactor

action/dist/main/index.js

@@ -61175,20 +61175,26 @@ runAction(async () => {
  * @return token
  */
 async function getAccessToken(tokenRequest) {
+    const idTokenForAccessManager = await core.getIDToken(config.api.url.hostname)
+        .catch((error) => {
+        if (error.message === 'Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable') {
+            throw new Error(error.message + ' Probably job permission `id-token: write` is missing');
+        }
+        throw error;
+    });
     let requestSigner;
     if (config.api.auth?.aws) {
         requestSigner = new dist_cjs.SignatureV4({
             sha256: main.Sha256,
             service: config.api.auth.aws.service,
             region: config.api.auth.aws.region,
             credentials: (0,credential_providers_dist_cjs.fromWebToken)({
-                webIdentityToken: await core.getIDToken('sts.amazonaws.com'),
+                webIdentityToken: idTokenForAccessManager,
                 roleArn: config.api.auth.aws.roleArn,
                 durationSeconds: 900, // 15 minutes are the minimum allowed by AWS
             }),
         });
     }
-    const idTokenForAccessManager = await core.getIDToken(config.api.url.hostname);
     return await httpRequest({
         method: 'POST', requestUrl: new URL('/access_tokens', config.api.url).href,
         data: JSON.stringify(tokenRequest),

action/docs/access-token.owner-template.yaml

@@ -1,38 +1,40 @@
-origin: GITHUB_REPO_OWNER/.github-access-token # e.g. qoomon/.github-access-token
+origin: __CHANGE_ME_TO_GITHUB_REPO_OWNER__/.github-access-token # e.g. qoomon/.github-access-token
 
-allowed-subjects: [] # An empty list means that all subjects are allowed
+# An empty list means that all subjects are allowed e.g. ['repo:qoomon/*:**']
+# Wildcards: '*' matches everything except ':', '**' matches everything
+allowed-subjects: []
 
 # Configuration which permissions are allowed to be managed by the repositories themselves
 allowed-repository-permissions: # https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps
   # actions: write # read or write
   # actions-variables: write # read or write
   # administration: write # read or write - BE AWARE 'administration' scope can not be completely limited to a repository e.g. create new repositories is still possible
-  # checks : write # read or write
-  # codespaces : write # read or write
-  # codespaces-lifecycle-admin : write # read or write
-  # codespaces-metadata : write # read or write
+  # checks: write # read or write
+  # codespaces: write # read or write
+  # codespaces-lifecycle-admin: write # read or write
+  # codespaces-metadata: write # read or write
   # codespaces-secrets: write # write
-  # contents : write # read or write
-  # custom-properties : write # read or write
-  # dependabot-secrets : write # read or write
-  # deployments : write # read or write
-  # discussions : write # read or write
-  # environments : write # read or write
-  # issues : write # read or write
-  # merge-queues : write # read or write
-  # packages : write # read or write
-  # pages : write # read or write
-  # projects : write # read or write or admin
-  # pull-requests : write # read or write
-  # repository-advisories : write # read or write
-  # repository-hooks : write # read or write
-  # repository-projects : write # read or write or admin
-  # secret-scanning-alerts : write # read or write
-  # secrets : write # read or write
-  # security-events : write # read or write
-  # statuses : write # read or write
-  # team-discussions : write # read or write
-  # vulnerability-alerts : write # read or write
+  # contents: write # read or write
+  # custom-properties: write # read or write
+  # dependabot-secrets: write # read or write
+  # deployments: write # read or write
+  # discussions: write # read or write
+  # environments: write # read or write
+  # issues: write # read or write
+  # merge-queues: write # read or write
+  # packages: write # read or write
+  # pages: write # read or write
+  # projects: write # read or write or admin
+  # pull-requests: write # read or write
+  # repository-advisories: write # read or write
+  # repository-hooks: write # read or write
+  # repository-projects: write # read or write or admin
+  # secret-scanning-alerts: write # read or write
+  # secrets: write # read or write
+  # security-events: write # read or write
+  # statuses: write # read or write
+  # team-discussions: write # read or write
+  # vulnerability-alerts: write # read or write
   # workflows: write # write
 
 # Grant owner scoped permissions (owner permission or owner wide repository permissions)
@@ -63,30 +65,30 @@ statements:
     # actions: write # read or write
     # actions-variables: write # read or write
     # administration: write # read or write - BE AWARE 'administration' scope can not be completely limited to a repository e.g. create new repositories is still possible
-    # checks : write # read or write
-    # codespaces : write # read or write
-    # codespaces-lifecycle-admin : write # read or write
-    # codespaces-metadata : write # read or write
+    # checks: write # read or write
+    # codespaces: write # read or write
+    # codespaces-lifecycle-admin: write # read or write
+    # codespaces-metadata: write # read or write
     # codespaces-secrets: write # write
-    # contents : write # read or write
-    # custom-properties : write # read or write
-    # dependabot-secrets : write # read or write
-    # deployments : write # read or write
-    # discussions : write # read or write
-    # environments : write # read or write
-    # issues : write # read or write
-    # merge-queues : write # read or write
-    # packages : write # read or write
-    # pages : write # read or write
-    # projects : write # read or write or admin
-    # pull-requests : write # read or write
-    # repository-advisories : write # read or write
-    # repository-hooks : write # read or write
-    # repository-projects : write # read or write or admin
-    # secret-scanning-alerts : write # read or write
-    # secrets : write # read or write
-    # security-events : write # read or write
-    # statuses : write # read or write
-    # team-discussions : write # read or write
-    # vulnerability-alerts : write # read or write
+    # contents: write # read or write
+    # custom-properties: write # read or write
+    # dependabot-secrets: write # read or write
+    # deployments: write # read or write
+    # discussions: write # read or write
+    # environments: write # read or write
+    # issues: write # read or write
+    # merge-queues: write # read or write
+    # packages: write # read or write
+    # pages: write # read or write
+    # projects: write # read or write or admin
+    # pull-requests: write # read or write
+    # repository-advisories: write # read or write
+    # repository-hooks: write # read or write
+    # repository-projects: write # read or write or admin
+    # secret-scanning-alerts: write # read or write
+    # secrets: write # read or write
+    # security-events: write # read or write
+    # statuses: write # read or write
+    # team-discussions: write # read or write
+    # vulnerability-alerts: write # read or write
     # workflows: write # write

action/docs/access-token.repo-template.yaml

@@ -1,4 +1,4 @@
-origin: GITHUB_REPO_OWNER/GITHUB_REPO_NAME # e.g. qoomon/sandbox
+origin: __CHANGE_ME_GITHUB_REPO_OWNER__/GITHUB_REPO_NAME # e.g. qoomon/sandbox
 
 # Grant repository scoped permissions
 # NOTE: Every statement will always implicitly grant `metadata: read` permission.
@@ -28,30 +28,30 @@ statements:
       # actions: write # read or write
       # actions-variables: write # read or write
       # administration: write # read or write - BE AWARE 'administration' scope can not be completely limited to a repository e.g. create new repositories is still possible
-      # checks : write # read or write
-      # codespaces : write # read or write
-      # codespaces-lifecycle-admin : write # read or write
-      # codespaces-metadata : write # read or write
+      # checks: write # read or write
+      # codespaces: write # read or write
+      # codespaces-lifecycle-admin: write # read or write
+      # codespaces-metadata: write # read or write
       # codespaces-secrets: write # write
-      # contents : write # read or write
-      # custom-properties : write # read or write
-      # dependabot-secrets : write # read or write
-      # deployments : write # read or write
-      # discussions : write # read or write
-      # environments : write # read or write
-      # issues : write # read or write
-      # merge-queues : write # read or write
-      # packages : write # read or write
-      # pages : write # read or write
-      # projects : write # read or write or admin
-      # pull-requests : write # read or write
-      # repository-advisories : write # read or write
-      # repository-hooks : write # read or write
-      # repository-projects : write # read or write or admin
-      # secret-scanning-alerts : write # read or write
-      # secrets : write # read or write
-      # security-events : write # read or write
-      # statuses : write # read or write
-      # team-discussions : write # read or write
-      # vulnerability-alerts : write # read or write
+      # contents: write # read or write
+      # custom-properties: write # read or write
+      # dependabot-secrets: write # read or write
+      # deployments: write # read or write
+      # discussions: write # read or write
+      # environments: write # read or write
+      # issues: write # read or write
+      # merge-queues: write # read or write
+      # packages: write # read or write
+      # pages: write # read or write
+      # projects: write # read or write or admin
+      # pull-requests: write # read or write
+      # repository-advisories: write # read or write
+      # repository-hooks: write # read or write
+      # repository-projects: write # read or write or admin
+      # secret-scanning-alerts: write # read or write
+      # secrets: write # read or write
+      # security-events: write # read or write
+      # statuses: write # read or write
+      # team-discussions: write # read or write
+      # vulnerability-alerts: write # read or write
       # workflows: write # write

action/src/action-main.ts

@@ -58,6 +58,13 @@ async function getAccessToken(tokenRequest: {
   repositories: string[] | undefined
   owner: string | undefined
 }): Promise<GitHubAccessTokenResponse> {
+  const idTokenForAccessManager = await core.getIDToken(config.api.url.hostname)
+      .catch((error) => {
+        if (error.message === 'Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable') {
+          throw new Error(error.message + ' Probably job permission `id-token: write` is missing');
+        }
+        throw error;
+      });
 
   let requestSigner;
   if (config.api.auth?.aws) {
@@ -66,14 +73,13 @@ async function getAccessToken(tokenRequest: {
       service: config.api.auth.aws.service,
       region: config.api.auth.aws.region,
       credentials: fromWebToken({
-        webIdentityToken: await core.getIDToken('sts.amazonaws.com'),
+        webIdentityToken: idTokenForAccessManager,
         roleArn: config.api.auth.aws.roleArn,
         durationSeconds: 900, // 15 minutes are the minimum allowed by AWS
       }),
     });
   }
 
-  const idTokenForAccessManager = await core.getIDToken(config.api.url.hostname);
   return await httpRequest({
     method: 'POST', requestUrl: new URL('/access_tokens', config.api.url).href,
     data: JSON.stringify(tokenRequest),
@@ -142,5 +148,3 @@ interface HttpRequest {
   data: string | NodeJS.ReadableStream | null,
   additionalHeaders?: OutgoingHttpHeaders
 }
-
-